Oct 17, 2021

Moving Beyond the FUD

Post about how we as an industry have to become a bit more pragmatic with our messaging.

FUD: Fear, Uncertainty and Doubt. Unfortunately it is something all too common in our industry. There are different reasons for this. Some of them are accidental, such as being caught up in the moment (I know that I have certainly been guilty of this myself). Others certainly are not, and most often come down to trying to leverage the situation for personal gain. For me this is one of the more dangerous aspects of information security. We don't want to be seen as the ones who cry wolf. We have to try to be as consistent with our messaging as possible. I even wrote a post on this some time back.

I'd like to use the most recent iOS update as an example. We had things such as "Breaking News". Well, the reality was that for most people it wasn't a big thing. The patch did fix a known vulnerability that was actively being exploited. But that exploit was not trivial to pull off, and was likely to be used only in targeted attacks. We have yet to see mass exploitation of this vulnerability. My advice was simple: don't panic, but update as soon as you can. Instead we had some setting the expectation that if you didn't immediately patch, your device was almost certain to be taken over by the evil villains. The vulnerability itself was a local privilege exploit (LCE), which meant the attacker required their victim to essentially act on their behalf (click on a malicious link or install a malicious app), or had to chain it with other vulnerabilities. This is not an easy task, especially on a fully patched device. In the past we have had far worse vulnerabilities that were remotely accessible.

I even put out a Tweet covering much of what I'm trying to cover in this post:

We need to stop treating everyone the same. Different people have different threat models and, just as importantly, different threat tolerances. We have to be more pragmatic when it comes to these things. I totally understand the need to get across the importance of patching and updating, but we should stress it when it is absolutely vital. Not every 0-day means users are going to be immediately placed at risk. There are so many things to consider, even from the attacker's perspective. Are they really going to burn that 0-day? How easy is it for them to pull off? What will their success rate look like? In many cases attackers can do the really trivial things, such as password spraying and credential stuffing, and have significant success with relatively little effort. If I were an attacker, this is where I would focus my efforts. Looking at some things like the top 10 password lists, I'm almost guaranteed to have some degree of success. Not some 0-day where I need the stars to align in order to successfully compromise a handful of victims. Let me put it another way: look at the most recent breaches and incidents. How many of those were from 0-days? How many were from things such as phishing attacks and misconfigurations?

As I also said, I fear that in many cases the FUD is essentially being used to drive things for, let's just call it, marketing purposes. While I appreciate there is a line, and a need to leverage some incidents to show how your product and/or service could help, crying terms such as "Breaking News" just screams FUD to me. Show me why it is so important. Show me how your product and/or service can help. Don't just scream on the likes of social media about how the sky is going to fall. All that we risk is coming across as the ones who constantly fearmonger, the "ones who cry wolf". We need to take a step back and place ourselves in the shoes of those whom we are trying to protect.

Take a look at it from their perspective, and more importantly, assess the risk from their perspective. This is something we do all too often: look at things from within our own bubbles. Things aren't black and white; they are all shades. Being a bit more pragmatic when it comes to our messaging should hopefully go a long way in helping those we really are aiming to help. We also need to put out a message that those people can understand. The vast majority aren't going to care about things such as LCE, entropy, kernel privileges, etc. They will want to know a) are they affected, and if so b) how likely are they to become a victim, and finally c) what should they do about it. The rest is likely meaningless to them.

Sean Wright
Experienced application security engineer with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS and supply chain related subjects.